Subscribe to this blog

Follow by Email

Search This Blog

Google redirect - Removing Zeroaccess manually and without any tools.(except to scan)

Due to popular demand to comply with official policy on the non usage of tools such as hitman pro and tdss killer, I am releasing the guide for manual removal of the sirefef Trojan. Please note that this has been tested by me only on 32 bit systems and not on 64 bit systems.The entries created by a zeroaccess infection are given below .The zeroccess configures a service as an autostart (Highlighted)which can be used to target it like a regular virus, instead of the kernel mode rootkit it is. The next step is determining the infected driver and finding a replacement. This can be sone by using a scanning tool such as GMER and TDSSKILLER (Please do not use these tools to remove the virus as it is against policy). Once the infected driver is determined we can replace it using a clean copy from either another location within the PC or elsewhere.1: Delete the service from the list at HKLM\SYSTEM\ControlSet001\Services\2: Delete the process file located at the %systemroot%( its usually numbered and the process can be viewed easily.)3: Delete the file and it autstart from HKU\SID\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellWhere SID can be \S-1-5-21-2025429265-839522115-682003330-1003 or similar. Delete the file listed in the autostart given above : its usually in the %appdata% folder and will need to be deleted forcefully.Restart the computer and perform a full scan, you should be clean of zeroaccesRegshot 1.8.2Comments:Datetime:2011/10/30 17:57:17 , 2011/10/30 17:59:49Computer:TAU-863929E6041 , TAU-863929E6041Username:test , test---------------------------------Keys added:5----------------------------------HKLM\SYSTEM\ControlSet001\Services\c697803HKLM\SYSTEM\CurrentControlSet\Services\c697803HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell----------------------------------Values added:14----------------------------------HKLM\SYSTEM\ControlSet001\Services\c697803\Type: 0x00000001HKLM\SYSTEM\ControlSet001\Services\c697803\Start: 0x00000003HKLM\SYSTEM\ControlSet001\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"HKLM\SYSTEM\CurrentControlSet\Services\c697803\Type: 0x00000001HKLM\SYSTEM\CurrentControlSet\Services\c697803\Start: 0x00000003HKLM\SYSTEM\CurrentControlSet\Services\c697803\ImagePath: "\systemroot\58222860:4086728700.exe"HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\1\0\1\2: 4E 00 31 00 00 00 00 00 5E 3F A2 56 13 00 52 65 63 65 6E 74 00 00 38 00 03 00 04 00 EF BE 5E 3F 0B 52 5E 3F 39 87 14 00 22 00 52 00 65 00 63 00 65 00 6E 00 74 00 00 00 40 73 68 65 6C 6C 33 32 2E 64 6C 6C 2C 2D 31 32 36 39 31 00 16 00 00 00HKU\S-1-5-21-2025429265-839522115-682003330-1003\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "C:\Documents and Settings\test\Local Settings\Application Data\0c697803\X"

So i was recently tasked with removing wireless restrictions from a VP's windows 7 laptop that some infrastructure company had placed while contracted with our network, since he needed to enable setting up of adhoc connections on his laptop and he always got

"The policies of your network prevent the creation of ad hoc (computer-to-computer) networks. For more information, contact your system administrator."

A little bit of probing revealed that adhoc and peer to peer connections were blocked as evidenced by the the command

netsh wlan show filter on an elevated command prompt revealed that adhoc network type was blocked by group policy:

I removed the restrictions by:

1: open services.msc as administrator, scroll down to WLAN AutoConfig:

Open gpedit.msc and browse to the location /Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication Settings and double click "turn off access to all windows update features" and set it to disabled.

We had a migration from Hosted Exchange to Office 365 and i was tasked with automating the local Outloook profile migration for Users:

I Created a GUI utility using powershell which would allow users to create an Office365 Profile and set it as default, I prepared PRF files for each version of office and an autodiscover.xml to be used for local autodiscover and uploaded them to a hosted site:

The PRF file to set settings for Office 365 are hard to find: i used the below entries: